CVE-2026-21511
Published: 10 February 2026
Summary
CVE-2026-21511 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). The CVE ranks in the top 11.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-21511 is a deserialization of untrusted data vulnerability (CWE-502) in Microsoft Office Outlook. Published on 2026-02-10T18:16:33.337, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue enables an unauthorized attacker to perform spoofing over a network by supplying untrusted data that the application deserializes.
The vulnerability can be exploited by any unauthorized attacker with network access, requiring low attack complexity, no privileges, and no user interaction. Successful exploitation allows the attacker to achieve spoofing, with a high impact on confidentiality but no impact on integrity or availability.
Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21511.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7331
Vulnerability details
Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
MITRE ATT&CK Enterprise Techniques
- Email Spoofing (T1684.002)
Why these techniques?
Deserialization flaw in Outlook directly enables email spoofing attacks over the network with no user interaction required.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the specific deserialization flaw in Microsoft Office Outlook by requiring timely identification, reporting, and patching.
- SI-10 (Information Input Validation): Validates untrusted network inputs to Outlook prior to deserialization, preventing exploitation of CWE-502 for spoofing.
- SI-16 (Memory Protection): Implements memory protections such as DEP and ASLR to block unauthorized code execution resulting from deserialization of untrusted data.